[ http://issues.apache.org/jira/browse/STDCXX-69?page=comments#action_12358052 ]

Martin Sebor commented on STDCXX-69:
------------------------------------

Filed here:
http://lab.msdn.microsoft.com/ProductFeedback/viewfeedback.aspx?feedbackid=fe5eb46e-228b-4e16-a4ff-fa8cba3b7955

======================================================================
Bug ID: FDBK40794
Problem Type: Bug
Status: New
Microsoft Status: Under Review
Opened Date: 2005-11-18 16:23:39
Opened By: Martin Sebor
Product/Technology: Visual C++
Version: Visual Studio 2005
Product Language: English
Category: Libraries
OS: Windows 2000 Server
OS Language: US English
Submission Language: English
======================================================================
Description:

Opened by Martin Sebor on 2005-11-18 at 16:23:39

Similarly to FDBK40793, the C standard library function wcsxfrm() corrupts memory past the end of the destination buffer.

Edited by Martin Sebor on 2005-11-18 at 16:29:41

FWIW, I see in our records that we reported this bug against MSVC 6 and that it was fixed in MSVC 7 (the test case passes with it), so this must be a regression.

======================================================================
Steps to Reproduce:

$ cat t.cpp && cl t.cpp && ./t.exe
#include <assert.h>
#include <locale.h>
#include <wchar.h>

int main ()
{
    setlocale (LC_COLLATE, "ENU");
    wchar_t s1 [2] = { L'*', L'*' };

    wcsxfrm (s1, L"", 0);
    assert (L'*' == s1 [0] && L'*' == s1 [1]);
}
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.42 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

t.cpp
Microsoft (R) Incremental Linker Version 8.00.50727.42
Copyright (C) Microsoft Corporation. All rights reserved.

/out:t.exe
t.obj
Assertion failed: L'*' == s1 [0] && L'*' == s1 [1], file t.cpp, line 11

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
======================================================================
Actual Results:
Runtime error.

Expected Results:
No error.

> [MSVC 6,8] wcsxfrm (s1, s2, 0) writes past the end of the destination buffer
> ----------------------------------------------------------------------------
>
>          Key: STDCXX-69
>          URL: http://issues.apache.org/jira/browse/STDCXX-69
>      Project: STDCXX
>         Type: Bug
>     Versions: 4.1.2
>  Environment: MSVC 6, 8
>     Reporter: Martin Sebor
>      Fix For: 4.1.3
>
> When compiled with MSVC 6 and 8 (but not 7.1), the program below segfaults at runtime:
> $ cat t.cpp ; cl t.cpp && ./t.exe
> #include <locale.h>
> #include <wchar.h>
>
> int main ()
> {
>     if (setlocale (LC_COLLATE, "ENU"))
>         wcsxfrm (0, L"\x83", 0);
> }
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86
> Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
> t.cpp
> t.cpp(8) : warning C4508: 'main' : function should return a value; 'void' return type assumed
> Microsoft (R) Incremental Linker Version 6.00.8447
> Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
> /out:t.exe
> t.obj
> [1] + Done(139) cat t.cpp ; cl t.cpp && ./t.exe
>   527 Segmentation violation ./t.exe
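
An added example, not part of the original message or of the stdcxx sources: a C guard-element check that generalizes the report's test case to other inputs and destination sizes, together with a length query that never makes the n == 0 call. The names xfrm_overruns, xfrm_length, GUARD and CANARY are hypothetical, the inputs are constructed, and whether the length query sidesteps the defect on an affected runtime is an assumption to confirm with the guard check.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

#define GUARD  8      /* canary elements placed after the destination */
#define CANARY L'*'   /* same fill character as the report's test case */

/* Call wcsxfrm() on a destination of exactly n elements followed by GUARD
   canaries. Returns 1 if a canary was overwritten, 0 if not, -1 on OOM. */
int xfrm_overruns(const wchar_t *src, size_t n)
{
    size_t i, total = n + GUARD;
    int bad = 0;
    wchar_t *buf = malloc(total * sizeof *buf);
    if (!buf) return -1;
    for (i = 0; i < total; i++) buf[i] = CANARY;
    wcsxfrm(buf, src, n);
    for (i = n; i < total; i++) bad |= (buf[i] != CANARY);
    free(buf);
    return bad;
}

/* Length query that never passes n == 0 or a null destination: transform
   into a scratch buffer and grow it until the result fits. */
size_t xfrm_length(const wchar_t *src)
{
    size_t cap = wcslen(src) + 1;
    for (;;) {
        size_t need;
        wchar_t *tmp = malloc(cap * sizeof *tmp);
        if (!tmp) return (size_t)-1;
        need = wcsxfrm(tmp, src, cap);
        free(tmp);
        if (need < cap || need == (size_t)-1) return need;
        cap = need + 1;
    }
}

int main(void)
{
    const wchar_t *inputs[] = { L"", L"\x83", L"abc" };  /* constructed */
    size_t i, n;
    setlocale(LC_COLLATE, "");  /* the report used "ENU" on Windows */
    for (i = 0; i < 3; i++)
        for (n = 0; n <= 4; n++)
            if (xfrm_overruns(inputs[i], n) == 1)
                printf("input %u, n=%u: write past end\n", (unsigned)i, (unsigned)n);
    return 0;
}
```

A write that lands more than GUARD elements past the destination is not caught by the canaries, so run the check under a heap checker as well when qualifying a runtime.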